sslv3 alert handshake failure when using SSL client auth #209

Closed
kelseyhightower opened this issue Oct 9, 2013 · 4 comments
Comments

@kelseyhightower (Contributor) commented Oct 9, 2013

version: 0.1.1
os: Debian Wheezy amd64

I'm getting the following errors when trying to use SSL client auth with self signed certs. SSL without client auth works fine. This also fails on etcd tip.

etcd:

./etcd -c "0.0.0.0:4001" -s "0.0.0.0:7001" -clientCAFile /opt/ssl/certs/ca.crt \
-clientCert /opt/ssl/certs/client.crt -clientKey /opt/ssl/private/client.key \
-d /opt/clusters/test/nodes/node0 -n node0
[etcd] 16:44:34.688654 INFO Wrote node configuration to '/opt/clusters/test/nodes/node0/info'
[etcd] 16:44:34.689457 INFO etcd server [node0:https://0.0.0.0:4001]
[etcd] 16:44:34.690032 INFO raft server [node0:http://0.0.0.0:7001]

curl:

curl -v -L --key private/client.key --cert certs/client.crt --cacert certs/ca.crt \
-d value=bar https://192.168.12.131:4001/v1/keys/foo
* About to connect() to 192.168.12.131 port 4001 (#0)
*   Trying 192.168.12.131...
* connected
* Connected to 192.168.12.131 (192.168.12.131) port 4001 (#0)
* successfully set certificate verify locations:
*   CAfile: certs/ca.crt
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

@xiang90 (Contributor) commented Oct 9, 2013

@kelseyhightower Your key/cert need to add key usage extension.

@kelseyhightower (Contributor, Author) commented Oct 9, 2013

That was it! If anyone else runs into this problem the solution was to add the following section to my openssl.cnf

[ ssl_client ]
  basicConstraints = CA:FALSE
  nsCertType = client
  keyUsage = digitalSignature, keyEncipherment
  extendedKeyUsage = clientAuth
  nsComment = "OpenSSL Certificate for SSL Client"

Then, when creating the cert, be sure to reference it in the -extensions flag:

openssl ca -config openssl.cnf -policy policy_anything -extensions ssl_client -out certs/node.crt -infiles node.csr
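
The reason the extendedKeyUsage line matters is that Go's crypto/tls server verifies a presented client certificate with x509.VerifyOptions whose KeyUsages is set to ExtKeyUsageClientAuth, so a leaf whose EKU extension names only serverAuth is rejected during the handshake, which the client sees as the "sslv3 alert handshake failure" above. The following Go program is an added illustration, not code from etcd or from either commenter: it builds a throwaway in-memory CA, signs one leaf with only serverAuth and one with clientAuth, and runs both through the same verification the TLS server performs. The CA and the subject names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory PKI: one CA and two leaf certificates
// that differ only in their extendedKeyUsage extension.
type TestPKI struct {
	Roots      *x509.CertPool
	ServerOnly *x509.Certificate // extendedKeyUsage = serverAuth only
	ClientAuth *x509.Certificate // extendedKeyUsage = clientAuth
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCert signs tmpl with signer (whose certificate is parent) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI generates the CA and both leaves. Everything here is constructed
// for the example; nothing is read from disk.
func BuildPKI() *TestPKI {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	leaf := func(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
		key := mustKey()
		tmpl := &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			BasicConstraintsValid: true, // CA:FALSE, as in the openssl.cnf section above
			KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
			ExtKeyUsage:           eku,
		}
		return mustCert(tmpl, ca, &key.PublicKey, caKey)
	}
	return &TestPKI{
		Roots:      roots,
		ServerOnly: leaf(2, "node0 (serverAuth only)", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}),
		ClientAuth: leaf(3, "node0 (clientAuth)", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}),
	}
}

// VerifyAsClientCert applies the same x509.VerifyOptions that Go's crypto/tls
// server uses for a presented client certificate: the chain must be valid for
// ExtKeyUsageClientAuth. A leaf whose EKU lacks clientAuth fails here, before
// any request reaches the application.
func VerifyAsClientCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsIncompatibleUsage reports whether err is x509's "incompatible key usage"
// rejection, as opposed to an expiry or unknown-CA failure.
func IsIncompatibleUsage(err error) bool {
	var invalid x509.CertificateInvalidError
	return errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage
}

func main() {
	pki := BuildPKI()
	for _, c := range []*x509.Certificate{pki.ServerOnly, pki.ClientAuth} {
		if err := VerifyAsClientCert(c, pki.Roots); err != nil {
			fmt.Printf("%-26s rejected: %v\n", c.Subject.CommonName, err)
		} else {
			fmt.Printf("%-26s accepted as a client certificate\n", c.Subject.CommonName)
		}
	}
}
```

When debugging the same failure against a real certificate file, the quickest check is to look at the X509v3 Extended Key Usage field in the output of `openssl x509 -in certs/client.crt -noout -text`: if it does not list "TLS Web Client Authentication", the cert was issued without the ssl_client extensions and the handshake will be refused regardless of whether the CA chain is otherwise valid.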

@kelseyhightower (Contributor, Author) commented Oct 9, 2013

Thanks @xiangli-cmu

@xiang90 (Contributor) commented Oct 9, 2013

@kelseyhightower no problem.
